b"AAAAAAAAAAAAAAA\n\n\n\n\n                  U.S. Department of Energy\n                  Office of Inspector General\n                  Office of Inspections\n\n\n\n\n  Inspection Report\n\n Reporting of Security Incidents\n at the Lawrence Livermore National\n Laboratory\n\n\n\n\n DOE/IG-0625                                November 2003\n\x0c\x0c\xe2\x80\xa2     Did not take timely compensatory measures to mitigate the potential vulnerabilities\n      resulting from the missing master keys and master Tesa card.\n\nDuring our review we learned that during a May 2003 inventory, Livermore officials\nidentified an additional three master keys and two master Tesa cards that were missing.\nAlthough two of the three master keys had been reported missing by the Livermore Fire\nDepartment to the Protective Force Division more than three years before, the Protective\nForce Division took no action to inventory the keys or determine why the two keys were\nmissing. Recent DOE and Livermore oversight reviews of Livermore\xe2\x80\x99s safeguard and\nsecurity operations did not identify internal control weaknesses related to the control and\ninventory of master keys and master Tesa cards.\n\nAs a result of the potential security vulnerabilities caused by the missing master keys,\nLivermore eventually initiated actions to repla ce or upgrade locks at significant cost.\nLivermore officials initially estimated the cost to replace or upgrade the locks as $1.7\nmillion. This figure was challenged upon release of our draft report. However, as of the date\nof this report, officials of the National Nuclear Security Administration (NNSA) have not\nprovided a different cost figure. Ultimately, Federal taxpayers will bear this cost. We\nbelieve that Livermore failed to ensure compliance with established internal controls over the\nmaster keys and master Tesa cards, and as such, we question the allowability of these costs.\n\nMANAGEMENT REACTION\n\nManagement did not specifically state concurrence with our recommendations. However,\nmanagement identified corrective actions that NNSA believes are responsive to our\nrecommendations. These actions include implementing additional procedures and training.\n\nAlthough this is a good first step, management needs to do more to assure that Livermore\nplaces greater emphasis on the need to strictly follow its processes and procedures for\naccountability and control of security keys. Management stated that such processes are\ncaptured in site security surveys and self-assessments, but acknowledged that they were not\nfollowed in these cases. Similarly, an October 14, 2003, press article reported that a gate to a\nlimited security area at the Laboratory, a secured facility, was left unlocked. In our view, this\nlatest incident only serves to reinforce the need for greater commitment by Laboratory\nmanagement and personnel to prevent security incidents, and when they occur, to report and\nresolve them promptly.\n\nAttachment\n\ncc:    Deputy Secretary\n       Administrator, National Nuclear Security Administration\n       Under Secretary for Energy, Science and Environment\n       Manager, Livermore Site Office\n       Director, Policy and Internal Controls Management\n\x0cREPORTING OF SECURITY INCIDENTS AT THE LAWRENCE\nLIVERMORE NATIONAL LABORATORY\n\n\nTABLE OF\nCONTENTS\n\n\n              OVERVIEW\n\n              Introduction and Objectives                   1\n\n              Observations and Conclusions                  2\n\n\n              DETAILS OF FINDINGS                           4\n\n              Reporting Thresholds for Security Incidents   4\n\n              Reporting Security Incidents to DOE/NNSA      5\n\n              Additional Missing Keys                       6\n\n              Security Risk Assessments                     7\n\n              Compensatory Measures                         7\n\n              Performance Measures                          9\n\n              Oversight Reviews                             9\n\n\n              RECOMMENDATIONS                               10\n\n              MANAGEMENT COMMENTS                           11\n\n              INSPECTOR COMMENTS                            12\n\n\n              APPENDICES\n\n              A. Scope and Methodology                      13\n\n              B. Management Comments                        14\n\x0cOverview\n\nINTRODUCTION AND   Lawrence Livermore National Laboratory (Livermore) performs\nOBJECTIVES         research and development activities in support of national defense\n                   that require the highest levels of security. The University of\n                   California (UC) manages and operates Livermore under contract\n                   with the Department of Energy (DOE), which includes the\n                   National Nuclear Security Administration (NNSA).\n\n                   On May 13, 2003, Livermore officials issued a Press Release\n                   stating that a set of master keys assigned to a Livermore Protective\n                   Force Officer had been discovered missing on April 17, 2003.\n                   Later, on May 30, 2003, a Livermore official announced to\n                   employees that a master Tesa card, which is a plastic card- like key\n                   with a magnetic strip, had been discovered missing on April 12,\n                   2003.\n                   Keys and electronic entry cards are an essential component of the\n                   system of access controls at Livermore and other DOE sites.\n                   Unique keys and cards, by their nature, serve to restrict access by\n                   unauthorized individuals to specific areas that may contain\n                   classified information and materials, sensitive program, project or\n                   proprietary information, or the personal belongings of Laboratory\n                   employees. Master keys and cards, on the other hand, control\n                   access to a significant number of the facilities, buildings and\n                   offices at Livermore. Their distribution is restricted to a limited\n                   number of personnel in order to ensure the integrity of the unique\n                   key and card access control component.\n\n                   The objectives of this inspection were to determine: (1) the\n                   adequacy of internal controls at Livermore over the timely and\n                   appropriate reporting of security incidents such as the missing\n                   master keys and master Tesa cards, and the identification and\n                   correction of corresponding potential security vulnerabilities; and\n                   (2) if performance measures exist at Livermore that adequately\n                   address the reporting of such incidents.\n\n\n\n\nPage 1                        Inspection of Reporting of Security Incidents at the\n                              Lawrence Livermore National Laboratory\n\x0cOBSERVATIONS AND   We concluded that Livermore did not have adequate internal\nCONCLUSIONS        controls to ensure that security incidents involving missing master\n                   keys and master Tesa cards were reported within required\n                   timeframes, and that timely follow-up actions were taken to identify\n                   and address potential security vulnerabilities resulting from the\n                   incidents.\n\n                   Specifically, we found that Livermore security officials:\n\n                      \xe2\x80\xa2   Misinterpreted fundamental DOE reporting requirements for\n                          security incidents, and did not immediately recognize the\n                          significant security implications of the missing master keys\n                          and master Tesa card;\n\n                      \xe2\x80\xa2   Did not report the security incidents involving the missing\n                          master keys and master Tesa card to DOE/NNSA within\n                          required timeframes;\n\n                      \xe2\x80\xa2   Did not immediately assess potential security risks to identify\n                          vulnerabilities resulting from the missing master keys and\n                          master Tesa card; and\n\n                      \xe2\x80\xa2   Did not take timely compensatory measures to mitigate the\n                          potential vulnerabilities resulting from the missing master\n                          keys and master Tesa card.\n\n                   During our review we learned that Livermore officials initiated a\n                   complete inventory in May 2003, to determine the status of all\n                   master keys and master Tesa cards at Livermore. The inventory\n                   disclosed that an additional three master keys and two master Tesa\n                   cards were missing. This brought the total number of missing master\n                   keys to nine, and the total number of missing master Tesa cards to\n                   three. Two of the three missing master keys were from a set of keys\n                   that the Livermore Protective Force Division set aside for use by the\n                   Livermore Fire Department. A Fire Department official told us that\n                   the two master keys had been reported missing to the Protective\n                   Force Division over three years ago. However, the Protective Force\n                   Division took no action to inventory the keys or determine why the\n                   two keys were missing. We were told that at that time, the view of\n                   the Protective Force Division was that the set of keys contained\n                   fewer master keys than were typically found on other sets of keys,\n                   not that any master keys were missing.\n\n\n\n\nPage 2                                              Observations and Conclusions\n\x0c         Although keys and cards are only one component of the system of\n         access controls at Livermore, the loss of the master keys and master\n         Tesa cards affected the level of security afforded classified and\n         sensitive areas at Livermore. As a result of the potential security\n         vulnerabilities caused by the missing master keys, Livermore\n         eventually initiated actions to replace or upgrade locks at significant\n         cost. We were initially advised by Livermore officials that the\n         estimated cost to replace or upgr ade the locks was $1.7 million.\n         Commenting on our draft report, NNSA officials did not believe the\n         cost estimate was consistent with the Laboratory\xe2\x80\x99s expenditures or\n         numbers of locks to be replaced. However, as of the date of this\n         report, NNSA officials had not provided a revised cost figure.\n         Ultimately, Federal taxpayers will bear this cost. We believe that\n         Livermore failed to ensure compliance with established internal\n         controls over the master keys and master Tesa cards. Therefore, we\n         question the allowability of these costs.\n\n\n\n\nPage 3                                     Observations and Conclusions\n\x0cDetails of Findings\n\nREPORTING             We found that Livermore security officials misinterpreted\nTHRESHOLDS FOR        fundamental DOE reporting requirements for security incidents,\nSECURITY INCIDENTS    and did not immediately recognize the significant security\n                      implications of the missing master keys and master Tesa card.\n\nReporting             DOE Notice 471.3, \xe2\x80\x9cReporting Incidents of Security Concern,\xe2\x80\x9d\nRequirements          establishes four reporting thresholds for incidents of a security\n                      concern under an Impact Measurement Index (IMI) system. The\n                      highest reporting threshold, IMI-1, is for \xe2\x80\x9cAny security incident\n                      that can be expected to cause serious damage to national security\n                      or DOE security interests.\xe2\x80\x9d The lowest reporting threshold, IMI-4,\n                      is for \xe2\x80\x9cAny security incident that causes no damage to national\n                      security, but that can, in combination, indicate weakened security\n                      awareness or inadequate procedures or practices.\xe2\x80\x9d\n\n                      At Livermore, the Safeguards and Security Department's Office of\n                      Incidents and Infractions is the responsible entity for reporting\n                      security incidents to DOE in accordance with DOE Notice 471.3.\n                      This office relies, in part, on the Protective Force Division\n                      providing reports on individual incidents that have occurred at\n                      Livermore so that a reporting determination under DOE Notice\n                      471.3 can be made.\n\n                      A Livermore security official informed us that on two occasions\n                      immediately following the loss of the set of master keys on\n                      April 17, 2003, a review was conducted of the security incident\n                      reporting criteria. According to the official, the reviews did not\n                      identify a need to report the loss of the master keys to DOE. The\n                      official said that another Livermore security employee discussed\n                      the loss of the keys with Livermore\xe2\x80\x99s Office of Incidents and\n                      Infractions and was told by that office that the loss of the master\n                      keys did not require reporting to DOE. According to an employee\n                      in the Office of Incidents and Infractions, his review of the IMI\n                      reporting categories in the DOE Notice did not identify a specific\n                      reference to \xe2\x80\x9cmissing master keys,\xe2\x80\x9d but it was unclear in his mind\n                      whether or not the loss of the keys was reportable.\n\n                      The loss of a master Tesa card on April 12, 2003, was not\n                      reviewed by the Office of Incidents and Infractions for reporting\n                      under DOE Notice 471.3 until the office received an Incident\n                      Report from the Protective Force Division on or about May 30,\n                      2003. The loss of the master Tesa card was reported at that time as\n                      an IMI-4 incident.\n\n\n\n\nPage 4                                                              Details of Findings\n\x0cSecurity Implications              Although the set of master keys and the master Tesa card opened\n                                   locks leading to some of the most sensitive areas of the Laboratory,\n                                   Protective Force Division officials did not perceive the loss as having\n                                   the potential to cause damage to national security or DOE security\n                                   interests. A Protective Force Division official advised us that they had\n                                   lost keys before and that the keys had always turned up. The official\n                                   told us that when the set of master keys did not turn up after a few\n                                   days of extensive searching, the Protective Force Division became\n                                   involved in other security issues and did not focus on the security\n                                   implications of the missing keys. In addition, the official stated that\n                                   the Protective Force Division was not aware that during the period that\n                                   the master keys were missing, a master Tesa card was also missing.\n                                   The Protective Force Division did not consider the security\n                                   implications of the double failure 1 resulting from the two types of\n                                   master keys (i.e., keys and Tesa card) being missing at the same time.\n\n                                   After Livermore senior management became aware of the missing\n                                   master keys on May 5, 2003, the Office of Incidents and Infractions\n                                   classified the incident at the lowest reporting threshold, IMI-4, that is,\n                                   a security incident \xe2\x80\x9cthat causes no damage to national security.\xe2\x80\x9d It\n                                   was not until the intervention of a senior NNSA official on May 9,\n                                   2003, that the Office of Incidents and Infractions re-evaluated the\n                                   incident and reclassified it as an IMI-2, which is defined as \xe2\x80\x9cAny\n                                   security incident that can be expected to cause damage to national\n                                   security or DOE security interests.\xe2\x80\x9d\n\nREPORTING                          We found that Livermore security officials did not report the\nSECURITY INCIDENTS                 security incidents involving the missing master keys and master\nTO DOE/NNSA                        Tesa card to DOE/NNSA within required timeframes.\n\nDOE Notice                         DOE Notice 471.3 states that a facility has 24 hours to determine if\n                                   a security incident should be reported. If the incident should be\n                                   reported, it must be categorized under the IMI system. The most\n                                   serious category of security incidents, IMI-1, must be reported to\n                                   DOE within one hour after categorization; IMI-2 and IMI-3\n                                   incidents must be reported within 8 hours; and summaries of IMI-4\n                                   incidents are to be reported monthly.\n\n                                   However, these incidents were not reported to DOE/NNSA until\n                                   weeks after they were first recognized. Specifically:\n\n                                   \xe2\x80\xa2   The master Tesa card discovered missing on April 12, 2003,\n                                       was not reported to DOE/NNSA until May 30, 2003.\n\n1\n  A double failure occurs when the two primary types of security locks protecting the same area are compromised at\nthe same time.\n\n\n\nPage 5                                                                                   Details of Findings\n\x0c               \xe2\x80\xa2   The set of six master keys discovered missing on April 17,\n                   2003, was not reported to DOE/NNSA until May 5, 2003.\n\n               We learned that Protective Force Division officials had no\n               immediate plans of reporting the missing keys to Livermore\n               management or DOE. A Protective Force Division official advised\n               us that the issue of the missing keys was on a list of things to\n               discuss with higher management, but the issue was never\n               discussed. The missing keys went unreported until May 5, 2003,\n               when an alert employee in the Livermore Locks and Keys Shop\n               became aware of an attempt by the Protective Force Division to\n               have a duplicate set of the master keys made to replace the missing\n               set, and promptly alerted security officials in the Safeguards and\n               Security Department of the missing master keys.\n\n               Similarly, the missing master Tesa card went unreported until\n               May 30, 2003. Although the Protective Force Division Incident\n               Report was dated April 12, 2003, the Office of Incidents and\n               Infractions did not receive the report until an employee in the\n               Safety, Security and Environmental Protection Directorate alerted\n               senior Livermore management about the missing master Tesa card.\n\nADDITIONAL     We found that Livermore security officials could not determine\nMISSING KEYS   how long other master keys and master Tesa cards had been\n               missing.\n\n               In May 2003, Livermore security officials initiated a complete\n               inventory to determine the status of all master keys and master Tesa\n               cards. The inventory disclosed that an additional three master keys\n               and two master Tesa cards were missing. Two of the three missing\n               master keys were on a set of keys used by the Livermore Fire\n               Department. A Fire Department official told us that the two master\n               keys had been reported missing to the Protective Force Division over\n               three years ago. However, the Protective Force Division took no\n               action to inventory the keys or determine why the two keys were\n               missing. At that time, the view of the Protective Force Division was\n               that the set of keys contained fewer master keys than were typically\n               found on other sets of keys, not that any master keys were missing.\n\n               The two missing master Tesa cards had been placed in storage by\n               the Protective Force Division. The Protective Force Division\n               could not locate the two master Tesa cards during the inventory.\n\n               Livermore security officials were unable to ascertain when the\n               master keys and master Tesa cards were lost. Based on our review,\n               we concluded that Livermore did not have adequate inventory\n\n\n\nPage 6                                                       Details of Findings\n\x0c                controls over its master keys and master Tesa cards. We consider\n                such controls to be a fundamental part of the security regime at an\n                institution like Livermore that is responsible for conducting highly\n                classified and sensitive activities in support of national defense.\n                Upon completion of the May 2003 inventory, Livermore officials\n                notified DOE/NNSA of the additional missing master keys and\n                master Tesa cards.\n\nSECURITY RISK   We found that Livermore security officials did not immediately\nASSESSMENTS     assess potential security risks to identify vulnerabilities resulting\n                from the missing master keys and master Tesa card.\n\n                The master keys were missing for over two weeks before any\n                consideration was given to assessing potential security risks to\n                identify possible vulnerabilities. On May 6, 2003, a Safeguards\n                and Security Department official directed that a risk assessment be\n                conducted, which included the most sensitive areas of the\n                Laboratory. A Livermore Safeguards and Security Department\n                official then directed the conduct of a second risk assessment that\n                included national security assets such as classified matter,\n                unclassified controlled nuclear information, high explosives,\n                biological assets, Category IV Special Nuclear Material (SNM)\n                and firearms.\n\n                The master Tesa card was missing for 32 days before a notification\n                was made to Livermore program officials. On May 14, 2003,\n                Safeguards and Security Department officials informed Laboratory\n                program officials of the loss and the need for assessing potential\n                security risks. During this meeting the security implications of the\n                double failure were discussed for the first time, one month after the\n                double failure condition occurred.\n\nCOMPENSATORY    We found that Livermore security officials did not take timely\nMEASURES        compensatory measures to mitigate the potential vulnerabilities\n                resulting from the missing master keys and master Tesa card.\n\n                Protective Force Division officials took no compensatory measures\n                to address potential security vulnerabilities associated with the\n                missing master keys and master Tesa card prior to May 6, 2003. A\n                Protective Force Division official advised us that they were not\n                aware of the double failure resulting from the combination of the\n                missing master keys and master Tesa card until a meeting in early\n                May 2003. However, the official said that compensatory measures\n                should have been taken with respect to the missing master keys\n                anyway. According to the official, the focus at the time was on\n                finding the keys, and that when the keys were not found, their\n\n\n\nPage 7                                                           Details of Findings\n\x0c                                    focus changed to other protective force issues and they did not\n                                    address the issue of compensatory measures.\n\n                                    Short-term compensatory measures, which were the result of\n                                    intervention by Livermore management outside the Protective\n                                    Force Division, were not initiated until May 6, 2003. These\n                                    measures, which consisted of block-out blades, door seals, re-\n                                    keying, suspension of the day- lock-rule 2 , and installation of\n                                    additional Tesa locks, were completed a month or more after the\n                                    master keys and master Tesa card were discovered missing.\n\n                                    The dates of discovery of the respective missing master keys and\n                                    master Tesa cards and the dates they were reported to DOE/NNSA\n                                    as missing are shown in Figure 1.\n\n                                             Summary of Missing Master Keys and Tesa Cards\n\n\n\n                                                 Type of                  Date                   Date\n                                                  Key                    Missing                Reported\n\n                                            1 Master Tesa          April 12, 2003           May 30, 2003\n                                            6 Master Keys          April 17, 2003           May 5, 2003\n                                            2 Master Keys          3 or more years 3        May 30, 2003\n                                            1 Master Key           Indeterminate            May 31, 2003\n                                                                   Period\n                                            2 Master Tesa          Indeterminate            June 2, 2003\n                                                                   Period\n\n                                                                        Figure 1\n\nCorrective                          We were advised by an NNSA official that on June 12, 2003, the\nAction Plans                        NNSA Livermore Site Office issued three major findings to\n                                    Livermore related to security locks and keys. We were also advised\n                                    that by July 2003, formal corrective action plans to correct\n                                    vulnerabilities in security incident reporting and security key\n                                    control and inventory procedures were in place. According to the\n                                    NNSA official, Livermore ha s completed several corrective action\n                                    plan milestones, which will be validated by the Livermore Site\n                                    Office by the end of December 2003.\n\n2\n  The day-lock-rule allows classified materials to be left unattended for brief periods provided that other security\nmeasures (i.e. items secured in a locked room) are in place to prevent unauthorized access.\n3\n  Keys reported by the Livermore Fire Department as missing more than three years ago.\n\n\n\nPage 8                                                                                       Details of Findings\n\x0cCost of Lock   With reliance on a complex lock, key, and Tesa card security\nReplacement    strategy at Livermore to prevent access to classified and sensitive\n               areas, there is little doubt that the level of security afforded these\n               areas was adversely affected. Livermore officials initially advised\n               us that, in the long-term, the loss of the master keys would require\n               the replacement and upgrade of approximately 100,000 locks in\n               both classified and unclassified areas within 526 buildings. They\n               also initially estimated the total cost of this lock replacement\n               project, which also includes upgrading existing locks, at\n               approximately $1.7 million. However, as of the date of this report,\n               NNSA officials had not validated this figure as accurate.\n\n               UC is required by Clause I.062 of its contract with DOE to have\n               methods and procedures in place to reasonably ensure that the\n               mission and functions assigned to the contractor are efficiently and\n               properly executed, and that resources are safeguarded against\n               waste, loss, and mismanagement. As reported by an internal\n               Livermore review team, Livermore violated its internal control\n               procedures for the control and accountability of master keys. This\n               resulted in the need to replace and upgrade locks, and take other\n               compensatory measures. We were told that prior to the loss of the\n               master keys in April 2003, no such lock replacement project had\n               been planned. Based on Livermore\xe2\x80\x99s failure to exercise due\n               diligence in performing its contractual responsibilities, we question\n               whether these costs are allowable.\n\nPERFORMANCE    Our review of the contractor performance self-assessment criteria\nMEASURES       for Fiscal Year 2003 revealed that a specific statement to \xe2\x80\x9cConduct\n               analysis of [the] incident pertaining to key control and\n               accountability\xe2\x80\x9d was added to the Livermore Safeguards and\n               Security Assessment Management Plan in June 2003. We were\n               told by a senior NNSA Livermore Site Office official that a\n               Livermore self-assessment performance review of the results of\n               Fiscal Year 2003 Safeguards and Security operations will be\n               conducted and that it will include the missing key incidents\n               detailed in this report.\n\nOVERSIGHT      Recent DOE and Livermore oversight reviews of Livermore\xe2\x80\x99s\nREVIEWS        safeguards and security operations prior to the disclosure of the\n               missing master keys and missing ma ster Tesa card, did not identify\n               internal control weaknesses related to the control and inventory of\n               master keys and master Tesa cards. Guides developed by various\n               organizations to plan and conduct these reviews suggest that processes\n               should be reviewed to determine whether procedures are in place to\n               adequately control keys and locks. However, none of these oversight\n               reviews identified the key control and inventory weaknesses at\n\n\n\nPage 9                                                         Details of Findings\n\x0c                  Livermore that allowed master keys and Tesa cards to go missing for\n                  an extended period of time without detection.\n\n                  Several security surveys and self-assessments performed by NNSA\n                  and Livermore since 2000 did not report any issues relating to key\n                  control and inventories. These reviews consistently rated topical areas\n                  that included key control and inventories as \xe2\x80\x9csatisfactory.\xe2\x80\x9d Although a\n                  2003 security survey verified the existence of lock and key records and\n                  procedures, the survey did not evaluate the accuracy or effective ness\n                  of the records and procedures in controlling and accounting for keys.\n\n                  In comments to our draft report, the NNSA Associate\n                  Administrator for Management and Administration stated that\n                  although NNSA believes the processes in place related to the\n                  security of keys are captured in the surveys and self- assessments,\n                  the established processes and procedures were not followed. He\n                  stated that NNSA will provide a copy of our recommendations and\n                  NNSA\xe2\x80\x99s expectations to the Site Office Managers for their\n                  inclusion in their respective oversight processes.\n\n                  We believe that future field site security surveys and self-assessments\n                  should include a review of internal controls relating to the issuance,\n                  receipt, and inventory of keys that provide access to sensitive areas.\n\n                  We noted that a 2002 DOE assessment of physical security systems at\n                  Livermore included a review of barriers protecting special nuclear\n                  material facilities. The missing master keys and Tesa cards accessed\n                  locks in some of these facilities. The assessment report was silent\n                  regarding whether master keys and Tesa cards were included in the\n                  review. However, Livermore physical security systems received a\n                  rating of \xe2\x80\x9cEFFECTIVE PERFORMANCE.\xe2\x80\x9d\n\nRECOMMENDATIONS   We recommend that the Administrator, National Nuclear Security\n                  Administration:\n\n                  1. Ensure that field site security surveys and self-assessments\n                     include a review of internal controls relating to the issuance,\n                     receipt, and inventory of all keys involving sensitive areas.\n\n                  We also recommend that the Manager, Livermore Site Office:\n\n                  2. Review the costs incurred by Livermore to replace and upgrade\n                     approximately 100,000 locks necessitated by the missing\n                     master keys and master Tesa cards, to determine whether the\n                     costs are reasonable and allowable.\n\n\n\nPage 10                                                         Recommendations\n\x0c             3. Ensure that Livermore establishes appropriate internal controls\n                to correctly identify reportable incidents, and that such\n                incidents are reported in a timely manner.\n\n             4. Ensure that Livermore officials responsible for categorizing\n                incidents reportable under DOE Notice 471.3 are trained to\n                properly determine the appropriate IMI classification level of\n                security incidents.\n\n             5. Ensure that internal controls are established by Livermore that\n                promote the timely assessment of vulnerabilities resulting from\n                security incidents, and the prompt implementation of\n                compensatory measures.\n\n             6. Ensure that Livermore has established appropriate internal\n                controls for the management and inventory of master keys and\n                master Tesa cards.\n\nMANAGEMENT   In comments to our draft report, the NNSA Associate\nCOMMENTS     Administrator for Management and Administration stated that\n             the report is consistent with the findings of Laboratory, Livermore\n             Site Office, University of California and NNSA reviews of the\n             security locks and keys incidents. While the Associate\n             Administrator did not specifically state concurrence with our\n             recommendations, he identified corrective actions taken by the\n             Livermore Site Office and the Laboratory that he believed were\n             responsive to our recommendations.\n\n             Regarding recommendation 1, the Associate Administrator\n             acknowledged that while processes related to security of keys are\n             captured in surveys and self-assessments, the established policies\n             and procedures were not being followed. He stated that NNSA\n             will provide a copy of our recommendations and NNSA\xe2\x80\x99s\n             expectations to the Site Office Managers for their inclusion in their\n             respective oversight processes.\n\n             Regarding recommendation 2, the Associate Administrator stated\n             that the contracting officer already determined that the costs\n             incurred to change the locks are allowable and reasonable under\n             the terms of the contract, and NNSA did not believe that the matter\n             requires an \xe2\x80\x9cAllowability of Cost Determination.\xe2\x80\x9d However, he\n             advised that NNSA is requesting a General Counsel opinion as to\n             what warrants an \xe2\x80\x9cAllowability of Cost Determination.\xe2\x80\x9d In\n             addition, the Associate Administrator did not believe the $1.7\n             million figure stated in our draft report to replace or upgrade\n\n\n\nPage 11                                             Management Comments\n\x0c            approximately 100,000 locks was consistent with the Laboratory\xe2\x80\x99s\n            expenditures or number of locks being replaced. The Associate\n            Administrator did not provide figures for the actual cost and\n            numbers of locks to be replaced. In addition, as of the date of this\n            report, NNSA has not provided these figures.\n\n            Regarding recommendations 3, 4, 5, and 6, the Associate\n            Administrator identified ongoing and completed corrective actions\n            taken by the Livermore Site Office and Laboratory management\n            that he felt were responsive to our recommendations.\n\n            The complete text of management\xe2\x80\x99s comments are attached at\n            Appendix B.\n\nINSPECTOR   Management\xe2\x80\x99s actions appear responsive to the report\nCOMMENTS    recommendations. However, we do not agree that the total cost of\n            replacing and upgrading the locks are \xe2\x80\x9cpart of the normal cost of\n            doing business.\xe2\x80\x9d Livermore did not follow its internal procedures\n            for the control and accountability of master keys and master Tesa\n            cards, which created a security vulnerability that resulted in the\n            need to replace and upgrade a significant number of locks. By not\n            complying with its contractual responsibilities, the Laboratory\n            unnecessarily incurred a substantial cost that we believe is\n            unallowable and should not be borne by the taxpayer.\n\n            Management identified actions implemented by the Livermore Site\n            Office and the Laboratory to ensure proper reporting of incidents\n            such as the missing master keys and master Tesa cards. These\n            actions included implementation of additional procedures and\n            training. We believe these actions are a good first step to address\n            the problems discussed in our report. However, as acknowledged\n            by the Associate Administrator, in specific instances established\n            processes and procedures were not followed. Therefore, in\n            addition to issuing additional procedures, we believe management\n            should assure that a culture exists wherein individuals will fully\n            implement the procedures.\n\n\n\n\nPage 12                                                 Inspector Comments\n\x0cAppendix A\n\nSCOPE AND     The fieldwork for this inspection was conducted between May and\nMETHODOLOGY   July 2003. We interviewed numerous Livermore and NNSA\n              Livermore Site Office officials regarding their knowledge of the\n              missing master keys and master Tesa cards. We also reviewed\n              available documentation from the Livermore internal and external\n              review teams that evaluated the missing master key and master\n              Tesa card incidents. The documentation that we reviewed\n              included:\n\n                 \xe2\x80\xa2   Incident Assessment Team Report: Key Incident of\n                     April 17, 2003.\n                 \xe2\x80\xa2   Independent External Review Team \xe2\x80\x9cReport on the\n                     Lawrence Livermore National Laboratory Security Key\n                     Incident.\xe2\x80\x9d\n                 \xe2\x80\xa2   Incident Analysis Team Report dated May 30, 2003.\n                 \xe2\x80\xa2   Master Tesa Inventory Process Report (Revision 1),\n                     dated June 6, 2003.\n                 \xe2\x80\xa2   Lawrence Livermore National Laboratory \xe2\x80\x9cLocks and Keys\n                     Guide.\xe2\x80\x9d\n                 \xe2\x80\xa2   Fiscal Year 2003 Appendix F, Performance Assessment\n                     Mid-Year Review.\n                 \xe2\x80\xa2   Integrated Safeguards and Security Management Project\n                     Plan, dated December 14, 2001.\n                 \xe2\x80\xa2   LLNL Implementation Guidelines for Fiscal Year 2003\n                     Appendix F Performance Objectives and Measures.\n\n              We also reviewed the contract between DOE and the University of\n              California for the management and operation of Lawrence\n              Livermore National Laboratory, as well as:\n\n                 \xe2\x80\xa2   DOE Notice 471.3, \xe2\x80\x9cReporting Incidents of Security\n                     Concern.\xe2\x80\x9d\n                 \xe2\x80\xa2   DOE Notice 473.8, \xe2\x80\x9cSecurity Conditions.\xe2\x80\x9d\n\n              This inspection was conducted in accordance with the \xe2\x80\x9cQuality\n              Standards for Inspections\xe2\x80\x9d issued by the President\xe2\x80\x99s Council on\n              Integrity and Efficiency.\n\n\n\n\nPage 13                                               Scope and Methodology\n\x0cAppendix B\n\n\n\n\nPage 14      Management Comments\n\x0cPage 15   Management Comments\n\x0cPage 16   Management Comments\n\x0cPage 17   Management Comments\n\x0c                                                                    IG Report No. DOE/IG-0625\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\xe2\x80\x99 requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\xe2\x80\x99s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Ene rgy Office of Inspector General Home Page\n                                        http://www.ig.doe.gov\n\n       Your comments would be appreciated and can be provided on the Customer Response Form\n                                      attached to the report.\n\x0c"